gdias92

Request and Response different WANs

Mon Sep 26, 2022 5:00 am

Hello guys.

I opened a port to receive some external connections.

But the request is received via pppoe-wan-cnpj and the response is sent via pppoe-wan-cpf, which leads to a problem.

When I disable the pppoe-wan-cpf everything works fine.

I believe this is a route problem.

I was not able to change the route settings from the PPPOE connection.

Could you guys help a hopeless noob?

Regards.
# sep/25/2022 22:40:55 by RouterOS 7.5
# software id = XXXX-XXXX
#
# model = RB5009UG+S+
# serial number = XXXXXXXXXXXX
#
# NOTE(review): this is the "before" export posted with the question. Software
# id and serial number were redacted by the author, and the dhcp-server lease
# list was removed by hand (see the placeholder further down).

/interface bridge
add name=bridge-lan

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598 name=ether1-lan
set [ find default-name=ether2 ] l2mtu=1598 name=ether2-lan
set [ find default-name=ether3 ] l2mtu=1598 name=ether3-lan
set [ find default-name=ether4 ] l2mtu=1598 name=ether4-lan
set [ find default-name=ether5 ] l2mtu=1598
set [ find default-name=ether6 ] l2mtu=1598
set [ find default-name=ether7 ] l2mtu=1598 name=ether7-wan-cpf
set [ find default-name=ether8 ] l2mtu=1598 name=ether8-wan-cnpj

/interface pppoe-client
# Both clients install a default route and neither sets default-route-distance,
# so the two defaults compete at the same distance. A reply to an inbound
# connection that carries no routing mark follows whichever default wins, not
# necessarily the WAN it arrived on -- presumably the symptom reported above.
add add-default-route=yes disabled=no interface=ether8-wan-cnpj name=pppoe-wan-cnpj user=xxx@xxx
add add-default-route=yes disabled=no interface=ether7-wan-cpf name=pppoe-wan-cpf user=xxx@xxx

/interface list
add name=listBridge
add name=listPppoe

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.0.41-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1

/routing table
# Two per-WAN tables are declared, but this export contains no /ip route
# entries for them. Combined with the lookup-only-in-table rules at the end, a
# packet that does get a routing mark has nothing to resolve against -- TODO
# confirm with /ip route print on the device.
add disabled=no fib name=routing-table-wan-cpf
add disabled=no fib name=routing-table-wan-cnpj

/interface bridge port
add bridge=bridge-lan ingress-filtering=no interface=ether1-lan
add bridge=bridge-lan ingress-filtering=no interface=ether2-lan
add bridge=bridge-lan ingress-filtering=no interface=ether3-lan
add bridge=bridge-lan ingress-filtering=no interface=ether4-lan

/ip neighbor discovery-settings
# Neighbor discovery limited to the bridge side; nothing is advertised on the WANs.
set discover-interface-list=listBridge

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set max-neighbor-entries=8192

/interface list member
add interface=bridge-lan list=listBridge
add interface=pppoe-wan-cnpj list=listPppoe
add interface=pppoe-wan-cpf list=listPppoe

/interface ovpn-server server
# md5 remains in the accepted auth list. Whether the OVPN server is enabled is
# not visible in this export; if it is, drop md5 from the list.
set auth=sha1,md5

/ip address
add address=192.168.0.1/24 interface=bridge-lan network=192.168.0.0

/ip dhcp-server lease
/// I REMOVED THIS INFO ///

/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1

/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone that can
# reach it; the /ip firewall raw rules below drop port-53 traffic arriving on
# the PPPoE interfaces, which is what keeps this from being an open resolver.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
# input chain, in order: established/related, everything from the LAN list,
# drop invalid, ICMP from the WANs (no rate limit), two portscan detectors
# that feed the PORTSCAN address list (consumed in /ip firewall raw), then
# drop the rest. Rules #1-#4 and #8 set log-prefix but not log=yes, so they
# do not log; #7 is disabled.
add action=accept chain=input comment="accept established, related" connection-state=established,related log-prefix="[FILTER #1]"
add action=accept chain=input comment="accepts everything from the internal lan" in-interface-list=listBridge log-prefix="[FILTER #2]"
add action=drop chain=input comment="drop invalid" connection-state=invalid log-prefix="[FILTER #3]"
add action=accept chain=input comment="allow ICMP" in-interface-list=listPppoe log-prefix="[FILTER #4]" protocol=icmp
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=5w5d chain=input comment="portscan detect" connection-nat-state="" in-interface-list=listPppoe log=yes log-prefix="[FILTER #5]" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=5w5d chain=input comment="portscan detect v2" dst-port=20-23,3389,53,1723,3306,8291 in-interface-list=listPppoe log=yes log-prefix="[FILTER #6]" protocol=tcp
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=5w5d chain=input comment="portscan detect v3, bloqueia tudo menos x portas" disabled=yes dst-port=!80,443 in-interface-list=listPppoe log=yes log-prefix="[FILTER #7]" protocol=tcp
add action=drop chain=input comment="drop everything else" log-prefix="[FILTER #8]"
# forward chain: fasttrack established/related and DNS, then accept
# established/related (log=yes on this accept logs every packet of those
# connections that was not fasttracked -- likely very noisy), drop invalid,
# and drop new connections from the WANs that were not dst-nat'ed. That last
# rule is what keeps packets addressed directly to 192.168.0.0/24 out of the
# LAN; it is missing from the "after" export.
add action=fasttrack-connection chain=forward comment="fast-track for established, related" connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=forward comment="fast-track dns tcp" dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="fast-track dns udp" dst-port=53 hw-offload=yes protocol=udp
add action=accept chain=forward comment="accept established, related" connection-state=established,related log=yes log-prefix="[FILTER #12]"
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix="[FILTER #13]"
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=listPppoe log=yes log-prefix="[FILTER #14]"

/ip firewall mangle
# Looks like a PCC setup, but each rule also pins a single in-interface.
# Two things to check: (1) dst-address-type=!local excludes packets addressed
# to one of the router's own IPs. Mangle prerouting is evaluated before
# dst-nat, so an inbound port-forward request (dst = the WAN address) is
# presumably still "local" here and never receives a connection mark; its
# replies then carry no routing mark and follow the default route.
# (2) The :2/0 and :2/1 classifiers each select only half of the connections
# seen on that interface, so the other half stays unmarked in any case.
# TODO confirm with /ip firewall connection print.
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=pppoe-wan-cpf log=yes log-prefix="[MANGLE #3]" new-connection-mark=mark-conn-wan-cpf passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=pppoe-wan-cnpj log=yes log-prefix="[MANGLE #4]" new-connection-mark=mark-conn-wan-cnpj passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
# Routing marks are applied only to LAN-sourced packets in prerouting; there
# is no output-chain rule, so replies generated by the router itself are never
# marked.
add action=mark-routing chain=prerouting connection-mark=mark-conn-wan-cpf log=yes log-prefix="[MANGLE #5]" new-routing-mark=routing-table-wan-cpf passthrough=no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting connection-mark=mark-conn-wan-cnpj log=yes log-prefix="[MANGLE #6]" new-routing-mark=routing-table-wan-cnpj passthrough=no src-address=192.168.0.0/24
# Terminal accept for WAN ingress; it does not affect the marking above it.
add action=accept chain=prerouting in-interface-list=listPppoe log-prefix="[MANGLE #7]"

/ip firewall nat
# masquerade is scoped to the LAN source range (the "after" export drops that match).
add action=masquerade chain=srcnat log-prefix="[NAT #0]" out-interface-list=listPppoe src-address=192.168.0.0/24
# Port forward from either WAN to 192.168.0.21:8080, reachable from any source
# address; limiting it with a src-address-list is what anav's Q3 suggests.
add action=dst-nat chain=dstnat comment="Consumer APPs" dst-port=80 in-interface-list=listPppoe log=yes log-prefix="[NAT #1]" protocol=tcp to-addresses=192.168.0.21 to-ports=8080

/ip firewall raw
# Dropped before connection tracking: DNS from the WAN side (both protocols)
# and anything from a source already on the PORTSCAN list.
add action=drop chain=prerouting comment="protect ddos attack against dns, dns only works for internal requests" dst-port=53 in-interface-list=listPppoe protocol=tcp
add action=drop chain=prerouting comment="protect ddos attack against dns, dns only works for internal requests" dst-port=53 in-interface-list=listPppoe protocol=udp
add action=drop chain=prerouting comment="portscan block" src-address-list=PORTSCAN

/ip service
# Every management service is disabled except winbox, which is limited to two
# LAN hosts; input rule #8 additionally drops it from the WANs.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.10/32,192.168.0.11/32
set api-ssl disabled=yes

/ip ssh
set strong-crypto=yes

/routing rule
# lookup-only-in-table: a marked packet with no route in its table is not
# retried in main. See the /routing table note above.
add action=lookup-only-in-table disabled=no routing-mark=routing-table-wan-cpf table=routing-table-wan-cpf
add action=lookup-only-in-table disabled=no routing-mark=routing-table-wan-cnpj table=routing-table-wan-cnpj

/system clock
set time-zone-name=America/Sao_Paulo

/system package update
set channel=long-term

/tool bandwidth-server
set authenticate=no enabled=no

/tool mac-server
# MAC-level access (mac-winbox/mac-telnet) only from the bridge side.
set allowed-interface-list=listBridge
 
anav

Re: Request and Response different WANs

Mon Sep 26, 2022 6:16 pm

Just to be clear, you have a dynamic WAN IP.
Thus external users wanting to access a server must use a DynDNS name to reach one of your WAN IPs.

Q1. So which WANIP is the dyndns URL setup for?

Q2. How is your WAN set up, in terms of usage for internal users?
( primary with failover, PCC load balancing etc.)

Yes, it's likely a routing problem and thus easily fixed, but the fix depends on the requirements, intentions and expectations, none of which have been clearly delineated.
That is why I'm asking the questions...

Q3. Do you know who is accessing your servers? (Make an address list of their public IPs and use it to restrict access on the dst-nat rules!!)
 
Sob

Re: Request and Response different WANs

Mon Sep 26, 2022 6:34 pm

Check https://wiki.mikrotik.com/wiki/Manual:PCC and study those extra mangle rules that you don't have in your config. In short, if you have multi-WAN port forwarding, the router needs your help: new connections from the internet must be marked based on the incoming interface, and the responses must then be routed back the same way based on those connection marks.

Edit: On second look, study all mangle rules there, because what you have now looks like some weird mix that can hardly do any good.
 
gdias92

Re: Request and Response different WANs  [SOLVED]

Tue Sep 27, 2022 3:20 am

It's working now.

I had to:
1. Create new routing tables under Routing -> Tables.
2. Mark the connection and the routing under IP -> Firewall -> Mangle.
3. Create new routes (besides the default ones) under IP -> Routes.

See below my "final" configuration.
# sep/26/2022 21:17:55 by RouterOS 7.5
# software id = XXXX-XXXX
#
# model = RB5009UG+S+
# serial number = XXXXXXXXXXXX
#
# NOTE(review): the "after" export. Compared with the first one it adds
# per-WAN connection and routing marks, a default route per routing table and
# a default-route-distance on the cnpj link, but it also drops most of the
# original filter rules -- see the notes under /ip firewall filter.

/interface bridge
add name=bridge-lan

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598 name=ether1-lan
set [ find default-name=ether2 ] l2mtu=1598 name=ether2-lan
set [ find default-name=ether3 ] l2mtu=1598 name=ether3-lan
set [ find default-name=ether4 ] l2mtu=1598 name=ether4-lan
set [ find default-name=ether5 ] l2mtu=1598
set [ find default-name=ether6 ] l2mtu=1598
set [ find default-name=ether7 ] l2mtu=1598 name=ether7-wan-cpf
set [ find default-name=ether8 ] l2mtu=1598 name=ether8-wan-cnpj

/interface pppoe-client
# cnpj now installs its default route at distance 2 while cpf keeps the
# default distance, so unmarked traffic presumably prefers pppoe-wan-cpf and
# only falls back to cnpj when cpf is down. keepalive-timeout is disabled on
# both clients, so a dead session may go unnoticed by the client side --
# verify failover behaviour.
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether8-wan-cnpj keepalive-timeout=disabled name=pppoe-wan-cnpj user=\
    cliente@cliente
add add-default-route=yes disabled=no interface=ether7-wan-cpf \
    keepalive-timeout=disabled name=pppoe-wan-cpf user=cliente@cliente
	
/interface list
add name=listBridge
add name=listPppoe

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.0.41-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1

/routing table
# One table per WAN; each gets its own default route under /ip route below.
add disabled=no fib name=pppoe-wan-cpf-rot
add disabled=no fib name=pppoe-wan-cnpj-rot

/interface bridge port
add bridge=bridge-lan ingress-filtering=no interface=ether1-lan
add bridge=bridge-lan ingress-filtering=no interface=ether2-lan
add bridge=bridge-lan ingress-filtering=no interface=ether3-lan
add bridge=bridge-lan ingress-filtering=no interface=ether4-lan

/ip neighbor discovery-settings
set discover-interface-list=listBridge

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set max-neighbor-entries=8192

/interface list member
add interface=bridge-lan list=listBridge
add interface=pppoe-wan-cnpj list=listPppoe
add interface=pppoe-wan-cpf list=listPppoe

/interface ovpn-server server
# md5 is still in the accepted auth list; the server's enabled state is not
# part of this export.
set auth=sha1,md5

/ip address
add address=192.168.0.1/24 interface=bridge-lan network=192.168.0.0

/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1

/ip dns
# Still a resolver for anyone who can reach it; the raw rules below drop
# WAN-side port 53, so only the LAN side can query it.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
# Compared with the first export, the input chain lost "accept
# established,related", "drop invalid" and the ICMP accept, and the forward
# chain lost "drop invalid" and "drop new from WAN unless dst-nat".
#
# forward: accepts the port-forwarded flow (dst-port is the post-dst-nat
# 8080). log=yes on an accept fires for every packet of the flow, not just
# the first; add connection-state=new if one line per connection is intended.
# With the "!dstnat" drop gone, anything else in the forward chain falls
# through to the default accept, so a packet arriving on a PPPoE interface
# addressed straight to 192.168.0.0/24 is no longer refused by the filter --
# re-adding that rule costs nothing.
add action=accept chain=forward comment="LIBERA PORTA 80" dst-port=8080 \
    in-interface-list=listPppoe log=yes log-prefix="[FILTER] #1" protocol=tcp
# input: portscan detector feeding the PORTSCAN list (consumed in raw).
add action=add-src-to-address-list address-list=PORTSCAN \
    address-list-timeout=5w5d chain=input comment=\
    "DETECTA E BLOQUEIA PORTSCAN" dst-port=20-23,3389,53,1723,3306,8291 \
    in-interface-list=listPppoe log=yes log-prefix="[FILTER] #2" protocol=tcp
# input: unconditional drop of everything from the WANs, with no preceding
# accept for established,related. Replies to connections the router itself
# opens over PPPoE (e.g. its own lookups to the 8.8.8.8/8.8.4.4 resolvers
# above) appear to be dropped by this rule too -- TODO confirm by watching its
# counter; if so, place an `accept connection-state=established,related`
# ahead of it.
add action=drop chain=input comment="BLOQUEIA TODAS SOLICITACOES EXTERNAS" \
    in-interface-list=listPppoe
	
/ip firewall mangle
# Per-WAN marking in the shape of Manual:PCC, minus the PCC classifier:
# mark-connection on prerouting (forwarded traffic) and input (router-bound
# traffic) per in-interface, then mark-routing on prerouting for LAN replies
# and on output for the router's own replies, so each response leaves by the
# WAN it came in on. The mark-connection rules carry no connection-state=new
# or connection-mark=no-mark match, so they re-evaluate every packet; that is
# harmless here but adding those matchers keeps the marking cheap and stable.
add action=mark-connection chain=prerouting in-interface=pppoe-wan-cpf \
    new-connection-mark=pppoe-wan-cpf-conn passthrough=yes
add action=mark-connection chain=input in-interface=pppoe-wan-cpf \
    new-connection-mark=pppoe-wan-cpf-conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-wan-cnpj \
    new-connection-mark=pppoe-wan-cnpj-conn passthrough=yes
add action=mark-connection chain=input in-interface=pppoe-wan-cnpj \
    new-connection-mark=pppoe-wan-cnpj-conn passthrough=yes
# Routing marks: LAN-sourced replies in prerouting, router-sourced replies in
# output. passthrough=no ends mangle processing once a mark is applied.
add action=mark-routing chain=prerouting connection-mark=pppoe-wan-cpf-conn \
    new-routing-mark=pppoe-wan-cpf-rot passthrough=no src-address=\
    192.168.0.0/24
add action=mark-routing chain=output connection-mark=pppoe-wan-cpf-conn \
    new-routing-mark=pppoe-wan-cpf-rot passthrough=no
add action=mark-routing chain=prerouting connection-mark=pppoe-wan-cnpj-conn \
    new-routing-mark=pppoe-wan-cnpj-rot passthrough=no src-address=\
    192.168.0.0/24
add action=mark-routing chain=output connection-mark=pppoe-wan-cnpj-conn \
    new-routing-mark=pppoe-wan-cnpj-rot passthrough=no
/ip firewall nat
# masquerade now has no src-address match (the first export limited it to
# 192.168.0.0/24); any source leaving via a PPPoE interface gets translated.
add action=masquerade chain=srcnat log-prefix="[NAT #0]" out-interface-list=\
    listPppoe
# Port forward from either WAN to 192.168.0.21:8080, still open to any source
# address.
add action=dst-nat chain=dstnat comment="Consumer APPs" dst-port=80 \
    in-interface-list=listPppoe log=yes log-prefix="[NAT #1]" protocol=tcp \
    to-addresses=192.168.0.21 to-ports=8080

/ip firewall raw
# Dropped before connection tracking: DNS from the WAN side (both protocols)
# and anything from a source already on the PORTSCAN list.
add action=drop chain=prerouting comment=\
    "protect ddos attack against dns, dns only works for internal requests" \
    dst-port=53 in-interface-list=listPppoe protocol=tcp
add action=drop chain=prerouting comment=\
    "protect ddos attack against dns, dns only works for internal requests" \
    dst-port=53 in-interface-list=listPppoe protocol=udp
add action=drop chain=prerouting comment="portscan block" src-address-list=\
    PORTSCAN

/ip route
# One default route per table, via the matching PPPoE interface. These are
# what the lookup-only-in-table rules below resolve against; the first export
# had none, which left marked packets with nothing to route by.
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-wan-cpf routing-table=\
    pppoe-wan-cpf-rot suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-wan-cnpj routing-table=\
    pppoe-wan-cnpj-rot suppress-hw-offload=no

/ip service
# Every management service is disabled except winbox, limited to two LAN
# hosts; the input-chain drop above also blocks it from the WANs.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.10/32,192.168.0.11/32
set api-ssl disabled=yes

/ip ssh
set strong-crypto=yes

/routing rule
# Packets marked for a WAN table are looked up only in that table (no
# fallback to main), so they leave by the interface the mark names.
add action=lookup-only-in-table disabled=no routing-mark=pppoe-wan-cpf-rot \
    table=pppoe-wan-cpf-rot
add action=lookup-only-in-table disabled=no routing-mark=pppoe-wan-cnpj-rot \
    table=pppoe-wan-cnpj-rot

/system clock
set time-zone-name=America/Sao_Paulo

/tool bandwidth-server
set authenticate=no enabled=no

/tool mac-server
# MAC-level access (mac-winbox/mac-telnet) only from the bridge side.
set allowed-interface-list=listBridge
